
Description

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a link on the legitimate authentication endpoint that redirects the user to an attacker-controlled site. Because the link itself points at the trusted WSO2 host, it is an effective phishing lure: a victim who follows it can be sent to a page that harvests credentials or other sensitive information, or performs other harmful actions.
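As an added example that is not part of this CVE record and is not WSO2's code: the Python below contrasts the kind of prefix-based "is this a local URL?" check that typically produces CWE-601 with a stricter same-site check, running both over constructed probe values of the sort a tester would place in a redirect parameter such as the multi-option URL. The record does not name the parameter, so the example operates on the raw value; the host idp.example.com and the login path are hypothetical.

```python
"""Open-redirect target validation (CWE-601), shown as an added example.

This is not WSO2 code. It contrasts a typical flawed "is this a local URL?"
check with a stricter one, using the kinds of values an attacker would put
in a redirect parameter such as the multi-option URL described above.
Host names and paths are hypothetical.
"""
from urllib.parse import urlsplit

OWN_HOST = "idp.example.com"                # hypothetical IdP host
OWN_ORIGIN = "https://" + OWN_HOST


def weak_is_local(url: str, own_origin: str = OWN_ORIGIN) -> bool:
    """Flawed check: accepts anything starting with '/' or with our origin.

    Both conditions are bypassable: '//evil.example' starts with '/' but is
    scheme-relative, and 'https://idp.example.com.evil.example' starts with
    our origin string but is a different host.
    """
    return url.startswith("/") or url.startswith(own_origin)


def is_safe_redirect(url: str, own_host: str = OWN_HOST) -> bool:
    """Strict check: allow only same-site targets.

    Accepts a path-only relative URL ('/x...', but not '//...') or an https
    absolute URL whose host is exactly own_host. Everything else is rejected.
    """
    if not url:
        return False
    # Control characters (including CR/LF) can split the Location header or
    # be stripped by browsers in ways the server-side parser does not mirror.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # Browsers treat a backslash like a forward slash in special schemes, so
    # '/\\evil.example' is resolved as '//evil.example' by the client.
    if "\\" in url:
        return False
    # Reject any leading run of two or more slashes on the raw string:
    # urlsplit reports an empty netloc for '///evil.example', yet a browser
    # resolves it to https://evil.example/ (extra slashes after '//' are skipped).
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to exactly our host. netloc still contains
        # userinfo, so 'idp.example.com@evil.example' fails the comparison.
        return parts.scheme == "https" and parts.netloc.lower() == own_host.lower()
    # Relative URL: must be an absolute path on this host.
    return url.startswith("/")


# Constructed probe values, the kind a tester would feed the redirect
# parameter; pairs of (value, whether it should be accepted).
PROBES = [
    ("/authenticationendpoint/login.do?sessionDataKey=abc123", True),
    ("https://idp.example.com/authenticationendpoint/login.do", True),
    ("//evil.example/phish", False),
    ("///evil.example/phish", False),
    ("/\\evil.example/phish", False),
    ("https://idp.example.com.evil.example/", False),
    ("https://idp.example.com@evil.example/", False),
    ("javascript:alert(1)", False),
    ("/ok\r\nSet-Cookie: x=y", False),
]


def compare_checks(probes=PROBES):
    """Return (value, expected_safe, weak_verdict, strict_verdict) per probe."""
    return [(v, exp, weak_is_local(v), is_safe_redirect(v)) for v, exp in probes]


def weak_check_misses(probes=PROBES):
    """Values the weak check accepts although they leave our site."""
    return [v for v, exp in probes if not exp and weak_is_local(v)]


if __name__ == "__main__":
    for value, expected, weak, strict in compare_checks():
        flag = "" if strict == expected else "  <-- MISMATCH"
        print(f"{value!r:58} weak={weak!s:5} strict={strict!s:5}{flag}")
```

The strict check deliberately tests the raw string before parsing: server-side URL parsers and browsers disagree on inputs such as `///host`, `/\host` and values containing control characters, and an open redirect is decided by what the browser does with the Location header, not by what the server's parser reports.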

CVE-2024-1440 | Status: PUBLISHED | Reserved: 2024-02-12 | Published: 2025-06-02 | Updated: 2025-06-02 | Assigner: WSO2

Severity

MEDIUM: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Reachable over the network with low attack complexity and no privileges, but the victim must follow the crafted link (UI:R); the impact is limited loss of confidentiality and integrity with no availability impact.

Problem types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Product status

Each range is given in the CVE record's "base version (custom) before update level" form: builds of the base version are affected until they carry the listed WSO2 update level, so the first fixed build is the one at that update level (for example, 5.10.0 builds below update level 5.10.0.278 are affected). Ranges are grouped per product in the order they appear in the record.

Default status: unaffected
  Any version before 5.10.0: unknown
  5.10.0 (custom) before 5.10.0.278: affected
  5.11.0 (custom) before 5.11.0.347: affected
  6.0.0 (custom) before 6.0.0.185: affected
  6.1.0 (custom) before 6.1.0.145: affected
  7.0.0 (custom) before 7.0.0.30: affected

Default status: unaffected
  Any version before 3.1.0: unknown
  3.1.0 (custom) before 3.1.0.262: affected
  3.2.0 (custom) before 3.2.0.344: affected
  4.0.0 (custom) before 4.0.0.296: affected

Default status: unaffected
  Any version before 5.10.0: unknown
  5.10.0 (custom) before 5.10.0.298: affected

Default status: unaffected
  Any version before 2.0.0: unknown
  2.0.0 (custom) before 2.0.0.308: affected

Default status: unaffected
  Any version before 2.0.0: unknown
  2.0.0 (custom) before 2.0.0.327: affected

Default status: unknown
  5.17.5 (custom) before 5.17.5.256: affected
  5.18.187 (custom) before 5.18.187.257: affected
  5.23.8 (custom) before 5.23.8.174: affected
  5.25.92 (custom) before 5.25.92.77: affected
  7.0.78 (custom) before 7.0.78.18: affected
  7.0.111 (custom): unaffected

References

security.docs.wso2.com/...ty-advisories/2024/WSO2-2024-3171/ (vendor advisory)
cve.org record: CVE-2024-1440
nvd.nist.gov record: CVE-2024-1440
